Simplify Maintenance and Security with User Groups

by Anurag Barua, Independent SAP Advisor

November 15, 2008

User groups are a convenient technique to group users and treat them as one entity in terms of their privileges and behavior. See a method for setting them up in your system with some considerations from a security and user administration perspective.

Key Concept

Users can be grouped in different combinations such as those associated with a particular set of common business processes. For example, if you have a set of buyers that uses the purchasing/procurement functionality in SAP Materials Management (MM), you can put them in the same user group and then treat them as a single entity. There is no restriction on the number of user groups to which a user can be assigned, but there is some rationale in doing so in a manner that doesn’t cause Segregation of Duties conflicts.

Often, you need to carry out the same change for a number of users. This mass user change becomes tedious if you have a large number of users in your system that needs the same changes. To avoid this problem, you can set up user groups. Instead of selecting users one at a time, you can select all that belong to a particular group and then apply this mass change in transaction SU10.

A good example of this is the temporary locking of regular users when certain system maintenance activities, such as the application of Support Packages, are carried out. You may have four user groups in your system: end users, developers, configurators, and administrators. You can choose users in the first three groups and lock them out. Other examples are adding or deleting parameter IDs (PIDs) or system defaults. Or imagine this example in the security administration realm. If you want to provide a set of users with similar privileges, you can add this particular role to the user group in this mass change process instead of having to do so individually. Similarly, if you need to make a change to an existing privilege to the same group, all you need to do is tweak the role to affect the entire group.

You can also delegate user administration tasks to other individuals. This is especially helpful when you have a large user community and maintenance of users on an individual level becomes onerous. You can make certain individuals — other than your SAP NetWeaver administrators — responsible for one or more of the user groups. This delegation helps in better load balancing among your administrators. Also, because the person that is delegated to be the administrator of a particular user group is likely to understand the needs of that particular user group better, this delegation aids in better decision making.

Would you like to see this full item?

Anurag Barua

Anurag Barua is an independent SAP advisor. He has 23 years of experience in conceiving, designing, managing, and implementing complex software solutions, including more than 17 years of experience with SAP applications. He has been associated with several SAP implementations in various capacities. His core SAP competencies include FI and Controlling FI/CO, logistics, SAP BW, SAP BusinessObjects, Enterprise Performance Management, SAP Solution Manager, Governance, Risk, and Compliance (GRC), and project management. He is a frequent speaker at SAPinsider conferences and contributes to several publications. He holds a BS in computer science and an MBA in finance. He is a PMI-certified PMP, a Certified Scrum Master (CSM), and is ITIL V3F certified.

Anurag will be presenting at the upcoming Managing Your SAP Projects 2017 conference, October 24-26, 2017, in Copenhagen. For information on the event, click here. Anurag will also be presenting at the Managing Your SAP Projects 2017 conference, November 29-December 1, 2017, in Las Vegas. For information on that event, click here.